Hi all,
I currently have the following flow working:
1. Sign my binaries with the organization's certificate (specifically, EV
certificate).
2. Run HLK tests on signed binaries
3. Create HLK project with HLK results and signed binaries, sign the package,
and submit it to Microsoft.
4. Get binaries signed with Microsoft
What I would like to know is whether I can perform the tests on binaries that
are self-signed with self-created cross certificates (using makecert). And then
in step 2, use those HLK results, along with the *real* "organization signed"
binaries.
That is, does Microsoft only check that the underlying driver is the same
between the HLK results and the submitted drivers? Or do they check
that those are the same binaries *exactly* (including the signature)?
The reason that I am even asking is that our signing machine is in a different
network. And in order to get signed drivers back into the network with the HLK,
it takes another "round" of bringing files back and forth, which I would be
happy if we can do without.
Thanks

Message 2 of 4

11 Jun 18 02:52

Tim Roberts

xxxxxx@probo.com

HLK Tests and EV certificate

On Jun 10, 2018, at 11:36 PM, xxxxx@gmail.com wrote:
>
> What I would like to know is whether I can perform the tests on binaries
> that are self-signed with self-created cross certificates (using makecert). And
> then in step 2, use those HLK results, along with the *real* "organization
> signed" binaries.
>
> That is, does Microsoft only check that the underlying driver is the same
> between the HLK results and the submitted drivers? Or do they check
> that those are the same binaries *exactly* (including the signature)?

In theory, the certificates are not included in the PE file checksum, and I
believe that's what HLK uses to validate it is the same driver you tested.
It is not strictly necessary to sign the binaries you send to the dashboard.
You have to sign the HLK results, but WHQL is going to sign your binaries,
create a new CAT, and sign that.
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
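
For checking on your own side that a test-signed copy and an organization-signed copy are the same underlying image, this added example (not code from the thread, and not a statement of what HLK or the dashboard computes) hashes a PE file while skipping the CheckSum field, the Certificate Table directory entry and the appended certificate table, the regions the Authenticode image hash leaves out. `signature_independent_digest` and `make_sample` are hypothetical names, the sample bytes are constructed, and the code assumes the certificate table is the tail of the file.

```python
import hashlib
import struct

def signature_independent_digest(pe: bytes) -> str:
    """SHA-256 over a PE file, skipping the three regions that signing rewrites."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64              # CheckSum field, same offset in both formats
    dirs_off = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", pe, dirs_off - 4)[0] < 5:
        raise ValueError("no Certificate Table directory entry")
    certdir_off = dirs_off + 4 * 8       # data directory index 4
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    end = len(pe)
    if cert_size:
        if cert_off + cert_size != len(pe):   # assumption: table is the file's tail
            raise ValueError("certificate table is not at end of file")
        end = cert_off
    h = hashlib.sha256()
    for chunk in (pe[:checksum_off], pe[checksum_off + 4:certdir_off],
                  pe[certdir_off + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def make_sample(body: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ header plus body; cert is an opaque stand-in blob."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", hdr, opt + 64, checksum)   # CheckSum
    struct.pack_into("<I", hdr, opt + 108, 16)        # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", hdr, opt + 144, len(hdr) + len(body), len(cert))
    return bytes(hdr) + body + cert

if __name__ == "__main__":
    body = b"\x90" * 64
    a = make_sample(body, b"TEST-CERT" * 8, 0x1111)     # stand-in for the makecert-signed copy
    b = make_sample(body, b"EV-CERT-BLOB" * 9, 0x2222)  # stand-in for the EV-signed copy
    print(a != b, signature_independent_digest(a) == signature_independent_digest(b))
```

Signing pads the file to an 8-byte boundary before appending the certificate table, so compare signed copies with each other rather than with a never-signed file whose length is not a multiple of 8.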

Message 3 of 4

11 Jun 18 12:14

Peter Viscarola

xxxxxx@osr.com

List Moderator

What Mr. Roberts said is entirely correct.
You *only* need the EV cert to prove who you are for your dashboard account.
You can then use either that EV cert, or a non-EV cert (that you have ALSO
registered with the dashboard) to sign submissions.
As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and
there's really no reason not to.
Peter
OSR
@OSRDrivers

Message 4 of 4

11 Jun 18 23:23

R0b0t1

xxxxxx@gmail.com

On Mon, Jun 11, 2018 at 11:14 AM, xxxxx@osr.com wrote:
> What Mr. Roberts said is entirely correct.
>
> You *only* need the EV cert to prove who you are for your dashboard account.
> You can then use either that EV cert, or a non-EV cert (that you have ALSO
> registered with the dashboard) to sign submissions.
>
> As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and
> there's really no reason not to.
>
It's probably easier to revoke your non-EV certificate in the case the
certificate is compromised.
